Vapor (Ransomware)
This article is about the ransomware. For the trojan, see Vapor.

Vapor is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It is aimed at English-speaking users.

Payload

Transmission

Vapor is distributed by hacking through an insecure RDP configuration, using email spam and malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

Vapor uses a strong encryption algorithm to make the victim's files inaccessible, targeting user-generated files, which may include a wide variety of file types. It marks every file encrypted by its attack by adding the file extension '.Vapor' to the end of the compromised file's name. Vapor targets the following file types in its infection process: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

It then displays a ransom demand pop-up window with a timer. The pop-up window informs Vapor victims that all private data, files, cookies, applications and other information have been encrypted with strong (AES) encryption. According to the Vapor developers, the only way to decrypt files is to contact them via the deadhacksteam@gmail.com email address. Note that the criminals use a Gmail account. This shows their ignorance and lack of experience, since using a public email service (such as Gmail) to make ransom demands is a great way to get caught. Victims are required to provide a unique client ID so that the cyber criminals can recognize the individual (the client ID is shown in the pop-up window). According to the Vapor developers, once the victim makes contact, they will send a key for successful decryption. Note that they will not provide this free of charge. Furthermore, they urge victims to contact them within 48 hours. If this does not happen, the files will supposedly be deleted when the 48 hours have elapsed, or when the computer is restarted or the ransomware process is killed. Clicking the "I GIVE UP" button will also result in permanent data loss. Therefore, the only option Vapor victims are given to retain the data stored on their computers is to contact the cyber criminals within the time frame.

Text presented in the Vapor ransomware pop-up window:

Vapor Ransomware
You Have Been Caught.
You Cannot Run You Cannot Hide You Aren't Safe Here.
What happened To Me?
All your private data, files, cookies, application and much more as been encrypted into a strong encryption!
The only way to get it back is by sending a support email at this email: deadhacksteam@gmail.com
Please make sure your Client ID is included so we can recognise you and send back the key.
When its done, enter the key into the key box and enjoy your day / night.
You have 48 hours to send the email, if the timer runs out your files will be deleted.
If you restart the PC or kill the program, you will never be able to get your files back since they will be re-encrypted if you re-launch the program.
Basically closing the program in anyway will result in loosing the key.
- Good Luck, Good Time.
- DeaDHackS Team!
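Responders scoping a Vapor infection can use the '.Vapor' marker and the targeted-extension list described above to inventory what was hit. The following is an added triage example, not code from the wiki page or from the malware; the extension subset and the sample file listing are constructed for the demonstration.

```python
"""Triage helper for a host suspected of a Vapor infection (added example).

It walks a file listing, picks out files carrying the '.Vapor' marker the
article describes, recovers the original extension, and checks it against
the targeted-extension list so a responder can scope the damage and spot
files outside the documented target set.
"""
import os
from collections import Counter

VAPOR_MARKER = ".Vapor"

# Subset of the extension list given in the article; assumed sufficient here.
TARGETED_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf",
                       ".sql", ".py", ".zip", ".txt", ".cpp"}


def split_vapor_name(path):
    """Return (original_path, original_ext) if path carries the marker, else None."""
    if not path.endswith(VAPOR_MARKER):
        return None
    original = path[:-len(VAPOR_MARKER)]
    ext = os.path.splitext(original)[1].lower()
    return original, ext


def triage(paths):
    """Summarise encrypted files: count per original extension and flag
    extensions outside the article's list (possible variant behaviour)."""
    per_ext = Counter()
    encrypted, unexpected = [], []
    for p in paths:
        hit = split_vapor_name(p)
        if hit is None:
            continue
        original, ext = hit
        encrypted.append(original)
        per_ext[ext] += 1
        if ext not in TARGETED_EXTENSIONS:
            unexpected.append(original)
    return {"encrypted": encrypted, "per_ext": dict(per_ext), "unexpected": unexpected}


def walk_tree(root):
    """Yield every file path under root; feed the result to triage() on a live host."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample listing, standing in for walk_tree() output on a victim host.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.Vapor",
    "C:/Users/alice/Pictures/holiday.JPG.Vapor",
    "C:/Users/alice/Desktop/notes.txt",
    "C:/Users/alice/dev/app.py.Vapor",
    "C:/Users/alice/dev/config.yaml.Vapor",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```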